include <tunables/global>
+# attach_disconnected is needed here because this service runs with systemd's
+# PrivateTmp=true
+
profile ubuntu_pro_apt_news flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice>
capability setgid,
capability setuid,
capability dac_read_search,
+ # GH: 3079
+ capability dac_override,
/etc/apt/** r,
/etc/default/apport r,
/etc/ubuntu-advantage/* r,
- /usr/bin/python3.{1,}[0-9] mrix,
-
- /usr/lib/apt/methods/http mrix,
- /usr/lib/apt/methods/https mrix,
- /usr/lib/ubuntu-advantage/apt_news.py r,
+ # GH: #3109
+ # Allow reading the os-release file (possibly a symlink to /usr/lib).
+ /{etc/,usr/lib/,lib/}os-release r,
+
+ /{,usr/}bin/python3.{1,}[0-9] mrix,
+ # "import uuid" in focal triggers an uname call
+ # And also see LP: #2067319
+ /{,usr/}bin/uname mrix,
+
+ /{,usr/}lib/apt/methods/http mrix,
+ /{,usr/}lib/apt/methods/https mrix,
+ /{,usr/}lib/ubuntu-advantage/apt_news.py r,
/usr/share/dpkg/* r,
/var/log/ubuntu-advantage.log rw,
/var/lib/ubuntu-advantage/** r,
/tmp/** r,
owner @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/status r,
@{PROC}/@{pid}/cgroup r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/ubuntu_pro_apt_news>
}
\ No newline at end of file
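Review bot: The newly added `@{PROC}/@{pid}/status r` near the bottom of the profile has no `owner` qualifier, unlike the neighbouring `owner @{PROC}/@{pid}/fd/ r`; since `@{pid}` matches any process id, the rule lets the service read the status of every process on the host rather than only its own. If the read is only for the service's own pid, `owner @{PROC}/@{pid}/status r,` keeps the two rules consistent and preserves least privilege. Separately, the new `capability dac_override` carries only a ticket reference; a one-line comment naming which path fails without it would let a future reviewer judge whether the capability can be dropped once that issue is resolved.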
--- /dev/null
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+# attach_disconnected is needed in all profiles defined here because this
+# service runs with systemd's PrivateTmp=true
+
+profile ubuntu_pro_esm_cache flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/openssl>
+ include <abstractions/python>
+ include <abstractions/user-tmp>
+
+ capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability kill,
+ capability setgid,
+ capability setuid,
+
+ signal send set=int peer=ubuntu_pro_esm_cache//apt_methods,
+ signal send set=int peer=ubuntu_pro_esm_cache//apt_methods_gpgv,
+
+ /etc/apt/** r,
+ /etc/machine-id r,
+ /etc/ubuntu-advantage/uaclient.conf r,
+ # GH: #3109
+ # Allow reading the os-release file (possibly a symlink to /usr/lib).
+ /{etc/,usr/lib/,lib/}os-release r,
+
+ /run/ubuntu-advantage/ rw,
+ /run/ubuntu-advantage/** rw,
+
+ /run/systemd/container/ r,
+ /run/systemd/container/** r,
+
+ /{,usr/}bin/apt mrix,
+ /{,usr/}bin/apt-cache mrix,
+ /{,usr/}bin/ischroot mrix,
+ /{,usr/}bin/python3.{1,}[0-9] mrix,
+ # LP: #2067319
+ /{,usr/}bin/uname mrix,
+
+ /{,usr/}bin/cloud-id Cx -> cloud_id,
+ # LP: #2067319
+ /{,usr/}bin/ps Cx -> ps,
+ /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
+ /{,usr/}bin/dpkg Cx -> dpkg,
+ /{,usr/}bin/ubuntu-distro-info Cx -> ubuntu_distro_info,
+ /{,usr/}lib/apt/methods/gpgv Cx -> apt_methods_gpgv,
+ /{,usr/}lib/apt/methods/http Cx -> apt_methods,
+ /{,usr/}lib/apt/methods/https Cx -> apt_methods,
+ /{,usr/}lib/apt/methods/store Cx -> apt_methods,
+ # when there is no status.json cached, esm-cache.service will invoke "snap status"
+ /{,usr/}bin/snap PUx,
+
+ /usr/share/dpkg/** r,
+ /usr/share/keyrings/* r,
+
+ /var/cache/apt/** rw,
+
+ /var/lib/apt/** r,
+ /var/lib/dpkg/** r,
+ /var/lib/ubuntu-advantage/** rwk,
+
+ /var/log/ubuntu-advantage.log rw,
+
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/1/cgroup r,
+ @{PROC}/version_signature r,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/kernel/osrelease r,
+
+
+
+ profile ps flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ capability sys_ptrace,
+
+ # GH: #3079
+ capability dac_read_search,
+ capability dac_override,
+
+ # GH: #3119
+ ptrace (read,trace),
+
+ # LP: #2067319
+ /{,usr/}bin/ps mrix,
+
+ /dev/tty r,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/** r,
+ @{PROC}/uptime r,
+ @{PROC}/sys/kernel/** r,
+ # GH: #3079
+ @{PROC}/tty/drivers r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/** r,
+ }
+
+ profile cloud_id flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/python>
+
+ ptrace read peer=unconfined,
+
+ /etc/cloud/** r,
+ /etc/apt/** r,
+ /etc/apport/** r,
+ /etc/ssl/openssl.cnf r,
+
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/environ r,
+ @{PROC}/1/cmdline r,
+ @{PROC}/@{pid}/status r,
+
+ /run/cloud-init/** r,
+
+ /{,usr/}bin/ r,
+ /{,usr/}bin/cloud-id r,
+ /{,usr/}bin/python3.{1,}[0-9] mrix,
+ # LP: #2067319
+ /{,usr/}bin/uname mrix,
+
+ /usr/share/dpkg/** r,
+
+ # workarounds for
+ # https://gitlab.com/apparmor/apparmor/-/issues/346
+ # LP: #2067319
+ /{,usr/}bin/systemctl Px -> ubuntu_pro_esm_cache_systemctl,
+ /{,usr/}bin/systemd-detect-virt Px -> ubuntu_pro_esm_cache_systemd_detect_virt,
+
+ /var/lib/cloud/** r,
+
+
+
+ }
+
+ profile dpkg flags=(attach_disconnected) {
+ include <abstractions/base>
+
+ capability setgid,
+
+ /etc/dpkg/** r,
+
+ /{,usr/}bin/dpkg mr,
+
+ }
+
+ profile ubuntu_distro_info flags=(attach_disconnected) {
+ include <abstractions/base>
+
+ /{,usr/}bin/ubuntu-distro-info mr,
+
+ /usr/share/distro-info/** r,
+
+ }
+
+ profile apt_methods flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/ssl_certs>
+ include <abstractions/user-tmp>
+
+ capability setgid,
+ capability setuid,
+
+ network inet stream,
+ network inet6 stream,
+
+ signal receive set=int peer=ubuntu_pro_esm_cache,
+
+ / r,
+ /etc/dpkg/** r,
+
+ /{,usr/}lib/apt/methods/gpgv mr,
+ /{,usr/}lib/apt/methods/http mr,
+ /{,usr/}lib/apt/methods/https mr,
+ /{,usr/}lib/apt/methods/store mr,
+
+ /usr/share/dpkg/** r,
+
+ /var/lib/ubuntu-advantage/apt-esm/** rwk,
+
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/@{pid}/fd/ r,
+
+ }
+
+ profile apt_methods_gpgv flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/ssl_certs>
+ include <abstractions/user-tmp>
+
+ capability setgid,
+ capability setuid,
+
+ signal receive set=int peer=ubuntu_pro_esm_cache,
+
+ / r,
+ /etc/dpkg/** r,
+
+ # there are just too many shell script tools that are called, like head,
+ # tail, cut, sed, etc
+ /{,usr/}bin/* mrix,
+
+ /{,usr/}lib/apt/methods/gpgv mr,
+
+ /usr/share/dpkg/** r,
+ /usr/share/keyrings/* r,
+
+ /var/lib/ubuntu-advantage/apt-esm/** r,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ # apt-config command needs these
+ # Note: observed only in xenial tests, but makes sense for all releases
+ /etc/apt/** r,
+ /var/lib/apt/** r,
+
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/ubuntu_pro_esm_cache>
+}
+
+ # these profiles were initially subprofiles of cloud-id, but:
+ # a) that crashes the kernel
+ # https://gitlab.com/apparmor/apparmor/-/issues/346
+ # b) <= bionic doesn't like the // or - chars in profile names
+ # https://gitlab.com/apparmor/apparmor/-/commit/99755daafb8cfde4df542b66f656597a482129ac
+
+ profile ubuntu_pro_esm_cache_systemctl flags=(attach_disconnected) {
+ include <abstractions/base>
+
+ capability net_admin,
+ capability sys_ptrace,
+
+ ptrace read peer=unconfined,
+
+
+
+ # LP: #2067319
+ /{,usr/}bin/systemctl mr,
+
+ /run/systemd/private rw,
+ /run/systemd/** r,
+
+ @{PROC}/cmdline r,
+ # GH: #3119
+ @{PROC}/1/* r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/sys/kernel/osrelease r,
+ # GH: 3119
+ /sys/firmware/efi/efivars/** r,
+ }
+
+ profile ubuntu_pro_esm_cache_systemd_detect_virt flags=(attach_disconnected) {
+ include <abstractions/base>
+
+ capability sys_ptrace,
+
+ ptrace read peer=unconfined,
+
+ /{,usr/}bin/systemd-detect-virt mr,
+
+ /run/systemd/** r,
+
+ /sys/devices/virtual/** r,
+ # GH: #3119
+ /sys/firmware/efi/efivars/** r,
+ @{PROC}/@{pid}/status r,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/1/environ r,
+ @{PROC}/1/sched r,
+ @{PROC}/cmdline r,
+ @{PROC}/1/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ }
\ No newline at end of file
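Review bot: The `ps` subprofile grants `ptrace (read,trace)` with no peer restriction, on top of `capability sys_ptrace`; `trace` permits attaching to and controlling other processes, which a process listing does not need, and the unrestricted peer makes this apply to every task on the host. Reading `/proc/<pid>/*` of other processes only requires the `read` permission, so `ptrace (read),` should suffice (confirm against the GH: #3119 reproduction before narrowing). The `/{,usr/}bin/snap PUx` rule in the parent profile is the other confinement gap worth documenting: `PUx` falls back to running the target unconfined when no profile is loaded for it, which as far as I can tell is the case for the snap client, so `snap status` executes with no AppArmor mediation; the comment above that rule should state that this fallback is accepted, not only why the command is invoked.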